b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                  Customer Account Data Engine 2 (CADE 2):\n                      System Requirements and Testing\n                       Processes Need Improvements\n\n\n\n                                      September 28, 2012\n\n                              Reference Number: 2012-20-122\n\n\n\n\n This report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n  and information determined to be restricted from public release has been redacted from this document.\n\n\n\n Phone Number | 202-622-6500\n E-mail Address | TIGTACommunications@tigta.treas.gov\n Website        | http://www.tigta.gov\n\x0c                                                    HIGHLIGHTS\n\n\nCUSTOMER ACCOUNT DATA ENGINE 2                         infrastructure requirements; all infrastructure\n(CADE 2): SYSTEM REQUIREMENTS                          documentation includes complete traceability to\nAND TESTING PROCESSES NEED                             the requirements being tested and the testing\nIMPROVEMENTS                                           results; IRS testers obtain and maintain\n                                                       documentation to verify test results; test\n                                                       execution practices are consistent; all security\nHighlights                                             requirements and corresponding test cases are\n                                                       identified and sufficiently traced, managed, and\n                                                       tested; all database issues identified by\nFinal Report issued on                                 Vulnerability Detection Scans are resolved or an\nSeptember 28, 2012                                     action plan is developed with specific corrective\n                                                       actions and time periods; and all 
issues\nHighlights of Reference Number: 2012-20-122            identified by Source Code Security Review\nto the Internal Revenue Service Chief                  scans are resolved and an action plan is\nTechnology Officer.                                    developed with specific corrective actions prior\nIMPACT ON TAXPAYERS                                    to the code being placed into service.\n\nThe implementation of Customer Account Data            In management\xe2\x80\x99s response to the report, the\nEngine 2 (CADE 2) daily processing allows the          IRS disagreed or partially disagreed with three\nIRS to process tax returns for individual              of our eight recommendations. The IRS\ntaxpayers more quickly by replacing existing           disagreed with developing an enterprise-wide\nweekly processing. The CADE 2 system also              program level Requirements Traceability\nprovides a centralized database of individual          Verification Matrix (RTVM) and policy. TIGTA\ntaxpayer accounts, allowing IRS employees to           believes an enterprise-wide approach is needed\nview tax data online and provide timely                to strengthen oversight of traceability controls.\nresponses to taxpayers. The successful                 The IRS also disagreed with the\nimplementation of the CADE 2 system should             recommendation that RTVMs are prepared\nsignificantly improve service to taxpayers and         during the test Initiation Phase. However, as\nenhance IRS tax administration.                        
discussed with CADE 2 officials, our report\n                                                       refers to both Requirements Traceability Matrix\nWHY TIGTA DID THE AUDIT\n                                                       and RTVM as \xe2\x80\x9cRTVM.\xe2\x80\x9d\nThe overall objective was to determine whether\n                                                       Further, the IRS stated that automated tools are\nthe CADE 2 Transition State 1 testing activities\n                                                       not always needed for control of requirements\nwere performed in accordance with applicable\n                                                       and test case management for Information\npolicies and procedures.\n                                                       Technology systems development. TIGTA\nWHAT TIGTA FOUND                                       maintains that use of one suite of integrated\n                                                       automated tools would provide needed control\nThe IRS initiated testing of the CADE 2 system,        over volumes of requirements and test cases for\nreduced the risks to the filing season by              IRS systems, including the monumental CADE 2\nimplementing independent contractor                    system development program.\nrecommendations, and performed simulated\nexercises to identify potential issues that could      Lastly, the IRS stated that additional CADE 2\noccur during the filing season. Improvements           documentation is not needed to ensure\nare needed in key controls and processes for           complete traceability of requirements to test\nrequirements management, testing processes,            results. The IRS believes that adequate\nand developer security testing.                        
documentation already exists with Government\n                                                       Equipment Lists and environmental checklists.\nWHAT TIGTA RECOMMENDED                                 However, while this documentation does verify\n                                                       that infrastructure components have been\nTIGTA recommended that the Chief Technology\n                                                       acquired and implemented, it does not verify that\nOfficer ensure test cases and other appropriate\n                                                       all CADE 2 processing requirements have been\ndocumentation are properly developed for\n                                                       tested.\n\x0c                                           DEPARTMENT OF THE TREASURY\n                                                WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                         September 28, 2012]\n\n\n MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER\n\n\n FROM:                       Michael E. McKenney\n                             Acting Deputy Inspector General for Audit\n\n SUBJECT:                    Final Audit Report \xe2\x80\x93 Customer Account Data Engine 2 (CADE 2):\n                             System Requirements and Testing Processes Need Improvements\n                             (Audit # 201120005)\n\n This report presents the results of our review of the Customer Account Data Engine 2 Transition\n State 1 testing activities. Our overall objective was to determine whether testing activities were\n performed in accordance with applicable policies and procedures. 
This review was requested by\n the Chief Technology Officer and was included in our Fiscal Year 2011 Annual Audit Plan.\n This review addresses the major management challenge of Modernization of the Internal\n Revenue Service.\n Management\xe2\x80\x99s complete response to the draft report is included as Appendix V.\n Copies of this report are also being sent to the Internal Revenue Service managers affected by the\n report recommendations. Please contact me at (202) 622-6510 if you have questions or\n Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology\n Services), at (202) 622-5894.\n\x0c                            Customer Account Data Engine 2 (CADE 2): System\n                          Requirements and Testing Processes Need Improvements\n\n\n\n\n                                            Table of Contents\n\nBackground .......................................................................................................... Page 1\n\nResults of Review ............................................................................................... Page 3\n          The Internal Revenue Service Performed Extensive Testing,\n          Planned Risk Reduction, and Implemented Controls Over\n          CADE 2 Transition State 1 System Development ........................................ Page 3\n          Requirements Management Controls Need Improvement\n          to Ensure Long-Term Success of the CADE 2 Program .............................. Page 5\n                    Recommendation 1:........................................................ Page 7\n\n                    Recommendation 2:........................................................ Page 8\n\n          Test Management Controls Need Improvement to Ensure\n          Long-Term Success of the CADE 2 Program............................................... Page 8\n                    Recommendations 3 through 5:......................................... 
Page 15\n\n          Identified Security Issues Need to Be Resolved ........................................... Page 16\n                    Recommendations 6 through 8:......................................... Page 20\n\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................ Page 21\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................ Page 23\n          Appendix III \xe2\x80\x93 Report Distribution List ....................................................... Page 24\n          Appendix IV \xe2\x80\x93 Glossary of Terms ................................................................ Page 25\n          Appendix V \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report ....................... Page 31\n\x0c            Customer Account Data Engine 2 (CADE 2): System\n          Requirements and Testing Processes Need Improvements\n\n\n\n\n                       Abbreviations\n\nCADE 2          Customer Account Data Engine 2\nDI              Database Implementation\nDP              Daily Processing\nFIPS            Federal Information Processing Standards\nIMF             Individual Master File\nIRM             Internal Revenue Manual\nIRS             Internal Revenue Service\nNIST SP         National Institute of Standards and Technology\n                Special Publication\nPMO             Program Management Office\nReqPro          Rational Requisite Pro\nRTVM            Requirements Traceability Verification Matrix\nTS1             Transition State 1\n\x0c                        Customer Account Data Engine 2 (CADE 2): System\n                      Requirements and Testing Processes Need Improvements\n\n\n\n\n                                            Background\n\nIn January 2010, the Internal Revenue Service (IRS) Commissioner signed the Program Charter\nauthorizing the formation of the Customer Account Data Engine1 2 (CADE 2) Program to 
build\non the substantial progress the current CADE processing platform had accomplished and to\nleverage lessons learned to date. The IRS\nInformation Technology organization2 has a lead         The CADE 2 Program is critical to the\nrole in developing and implementing the CADE 2          IRS\xe2\x80\x99s mission and its most important\nsystem. The CADE 2 Program was also created to           information technology investment.\naddress the risks of the current CADE approach and\nto implement fundamental changes to the core IRS\nbusiness systems. The CADE 2 Program should achieve defined goals and manage and integrate\nall the required components such as enhancement projects, new and legacy applications, business\nprocesses, organizational changes, and policy and procedure modifications.\nThe CADE 2 Program Management Office\xe2\x80\x99s (PMO) approach for delivery of the CADE 2\nProgram is a functional and technical progression through two transition states to a target state.\nTransition State 1 (TS1) has two main purposes: 1) the Database Implementation (DI) project is\nintended to establish a relational database that will house all individual taxpayer accounts and\nprovide the ability for IRS employees to view the updated account information online and 2) the\nDaily Processing (DP) project is intended to provide individual taxpayer account information to\nselect external systems on a daily basis as opposed to the current weekly basis. The IRS\nimplemented the daily processing portion of TS1 in January 2012. The database portion of TS1\nwill follow daily processing. Transition State 2 is expected to address financial material\nweaknesses and build or modify existing applications to directly interact with the CADE 2\ndatabase. 
The target state for the CADE 2 system entails completing the transition of all planned\nInformation Technology applications and realizing the business benefits expected with the\nsystem.\nWithin the IRS Information Technology organization, the Application Development Enterprise\nSystems Testing organization, in partnership with the CADE 2 PMO, is responsible for planning\nand executing the testing activities required for verifying and validating the overall TS1 solution.\nThe Enterprise Systems Testing CADE 2 Testing Integration Office was established expressly to\nsupport the CADE 2 Program and is responsible for planning, scheduling, coordinating, and\nreporting on all CADE 2 system testing activities. CADE 2 testing processes are coordinated at\n\n\n1\n See Appendix IV for a glossary of terms.\n2\n As of July 1, 2012, the Modernization and Information Technology Services organization officially changed its\nname to the IRS Information Technology organization.\n                                                                                                          Page 1\n\x0c                         Customer Account Data Engine 2 (CADE 2): System\n                       Requirements and Testing Processes Need Improvements\n\n\n\nthe program level, and the TS1 comprehensive test schedule is maintained in the Individual\nMaster File (IMF) Schedule. 
The Cybersecurity organization is an Enterprise Systems Testing\norganization test service partner3 responsible for conducting security testing activities designed\nto ensure the system\xe2\x80\x99s security safeguards are in place and functioning as intended.\nThis review was requested by the Chief Technology Officer and was performed at the IRS\nInformation Technology organization facilities in New Carrollton, Maryland; Memphis,\nTennessee; and Martinsburg, West Virginia, during the period June 2011 through June 2012.\nDuring audit fieldwork, we concurrently advised CADE 2 testing officials when issues were\nidentified and suggested corrective actions. We also communicated preliminary audit results and\nrecommendations for improvement to the Associate Chief Information Officer for Modernization\n\xe2\x80\x93 Program Management Office on October 7, 2011, December 12, 2011, and February 16, 2012.\nWe conducted this performance audit in accordance with generally accepted government\nauditing standards. Those standards require that we plan and perform the audit to obtain\nsufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions\nbased on our audit objective. We believe that the evidence obtained provides a reasonable basis\nfor our findings and conclusions based on our audit objective. Detailed information on our audit\nobjective, scope, and methodology is presented in Appendix I. 
Major contributors to the report\nare listed in Appendix II.\n\n\n\n\n3\n A test service partner is an organization external to the Enterprise Systems Testing organization that performs tests\nfor the CADE 2 Program, through a test brokering agreement.\n                                                                                                              Page 2\n\x0c                         Customer Account Data Engine 2 (CADE 2): System\n                       Requirements and Testing Processes Need Improvements\n\n\n\n\n                                      Results of Review\n\nThe Internal Revenue Service Performed Extensive Testing, Planned\nRisk Reduction, and Implemented Controls Over CADE 2 Transition\nState 1 System Development\nThe Department of the Treasury procedures for information technology strategic planning and\nportfolio management require bureaus to establish and maintain development processes and\nprocedures to ensure effective planning and execution of development activities and use of a\nstandardized systems development life cycle methodology. The IRS relies on its Enterprise Life\nCycle methodology to guide systems development activities, which include system testing. 
Our\nreview of CADE 2 TS1 testing activities considered the performance of extensive testing,\nindependent assessments from two contractors, performance of simulation exercises, and\nimproved controls to reduce risk and ensure the success of the CADE 2 system.\n\nThe IRS performed extensive testing of CADE 2 TS1\nThe IRS performed several types of testing, including the Accessibility Test,4 User Acceptance\nTest, Systems Acceptance Test, Final Integration Test Phase 1, Final Integration Test Phase 2\n(2012 Filing Season), Developer Security Testing, Source Code Security Review, and\nVulnerability Detection Scans prior to the implementation of daily processing in January 2012.\nThe IRS implemented Final Integration Test Phase 1 as an additional testing process to decrease\nthe risks of adverse impact on the 2012 Filing Season. The purpose of Final Integration Test\nPhase 1 was to demonstrate that the CADE 2 programs would work correctly in a\nnear-production environment. Final Integration Test Phase 1 also allowed IRS executives\nsufficient time to make any necessary contingency decisions.\n\nIndependent contractor assessments identified risks and concerns\nThe IRS contracted with two consulting firms to perform independent assessments of the\nCADE 2 system to identify concerns and areas of risk that needed mitigation. One of the\ncontractor\xe2\x80\x99s assessments determined that the Systems Acceptance Test was behind schedule,\ncontinued to experience delays, and reported that less than one-half of the test routines were\nexecuted. This resulted in the IRS adding test resources and extending the timelines for Systems\nAcceptance Test delivery to December 30, 2011. Additionally, the assessment determined that\n\n4\n Accessibility Testing is required by Federal agencies to maintain a technical environment that is accessible to\nemployees with disabilities and to the public at large. 
As a Federal agency, the IRS must ensure all information\ncontent and systems comply with mandated technical and functional performance criteria.\n                                                                                                             Page 3\n\x0c                       Customer Account Data Engine 2 (CADE 2): System\n                     Requirements and Testing Processes Need Improvements\n\n\n\noperational testing did not support the IRS\xe2\x80\x99s ability to handle a full weekly cycle in the allotted\ntime. The IRS responded by reviewing cycle times during an early January 2012 tax processing\nrun. By implementing specific recommendations from the contractor assessments, the IRS\nreduced filing season risks. With this action, the IRS was able to utilize the independent\nassessment reports to take necessary steps toward developing confidence and ensuring readiness\nfor the TS1 deployment in January 2012.\n\nThe IRS performed simulated exercises to identify potential issues that could\noccur during the 2012 Filing Season\nThe IRS conducted CADE 2 processing simulation exercises to identify and correct potential\nbusiness processing issues. Tabletop exercises validated the processes and procedures that\nwould be executed for TS1 during the 2012 Filing Season. We observed five tabletop exercises\nand determined that the IRS identified potential CADE 2 processing problems and developed\naction items to address these concerns.\nFor example, one tabletop session looked at IMF processing in which the participants learned to\nidentify and correct any potential tax processing issues prior to the January 2012 implementation\nof the CADE 2 DP project application. In one scenario for which a typical computer file was not\nreceived during the processing day, the participant learned how to correct the problem within the\nsame day and still complete the processing. 
After tabletop sessions, action items are reviewed,\nvalidated, and assigned during session debriefs. The IRS also subsequently tracks the status of\nthe action items to ensure completion.\n\nThe IRS implemented controls over the CADE 2 Program\nThe Chief Technology Officer also implemented corrective actions to address our prior audit5\nrecommendations. Controls were implemented to help prevent CADE 2 Program stakeholders\nfrom removing and working on CADE 2 customer requirements outside of the Rational\nRequisite Pro (ReqPro) application and to help them use this tool to fully manage the creation\nand revisions of requirements. To accomplish this, the IRS provided training on ReqPro, held\nmonthly user group training sessions on advanced ReqPro topics, and ensured that the CADE 2\nrequirements were input into ReqPro.\nThe IRS also ensured requirements were managed in ReqPro prior to test execution. To\naccomplish this, the CADE 2 PMO held weekly Integrated Requirements Team meetings with all\ndelivery partners to identify and mitigate requirement gaps and to help ensure requirements were\ntraced within ReqPro. The benefits of these corrective actions were intended to help ensure\nReqPro is utilized appropriately to manage CADE 2 requirements.\n\n\n5\n Treasury Inspector General for Tax Administration, Ref. No. 2011-20-127, Customer Account Data Engine 2\nProgram Management Office Implemented Systems Development Guidelines; However, Process Improvements Are\nNeeded to Address Inconsistencies (Sept. 
2011).\n                                                                                                  Page 4\n\x0c                     Customer Account Data Engine 2 (CADE 2): System\n                   Requirements and Testing Processes Need Improvements\n\n\n\nRequirements Management Controls Need Improvement to Ensure\nLong-Term Success of the CADE 2 Program\nRequirements are used to define specific business and technical functionalities that are needed\nfrom a system. Traceability is a key component of requirements management and involves the\nability to describe and trace the life of a requirement from its source and through the complete\ntesting life cycle, in both a forward and backward direction. The CADE 2 Requirements\nManagement Plan and Internal Revenue Manual (IRM) 2.6.1, Product Assurance \xe2\x80\x93 Test,\nAssurance & Documentation Standards and Procedures, provide guidelines for development of\nrequirements and tracing those requirements to their sources and to test cases. IRM 2.6.1 also\ndefines the testing life cycle and details when a Requirements Traceability Verification Matrix\n(RTVM) is to be developed in relation to when test cases are to be developed and executed. The\nRTVM and test cases should be developed before initiation of testing activities, and the matrix\nshould be updated and accurately maintained throughout the requirements management and\ntesting processes.\nThe ReqPro automated tool is the standard, within the IRS Enterprise Architecture, for\nrequirements management. All CADE 2 Program, project, and stakeholder personnel should use\nReqPro to create, manage, and control requirements and to maintain traceability across the\nProgram and projects. ReqPro can generate an RTVM to record and track requirements.\nThe CADE 2 PMO established a ReqPro repository to manage and baseline all CADE 2\nrequirements. 
However, the CADE 2 PMO did not develop and deliver a program-level RTVM\nprior to initiating testing activities to ensure the Enterprise Systems Testing organization\nsubsequently traced the CADE 2 requirements to test cases and test case results. Instead, the\nCADE 2 PMO first allocated the requirements to the Applications Development organization.\nSubsequently, the Applications Development organization mapped the requirements to the\nUnified Work Request document and allocated these requirements to the appropriate teams. The\nrequirements were then decomposed into specific CADE 2 requirements.\nAccording to discussions and documentation provided by the IRS, the Applications Development\norganization teams developed approximately 40 project-level RTVMs with these requirement\ndetails and delivered the requirements via the RTVMs to the Enterprise Systems Testing\norganization and the CADE 2 testing partners. The Enterprise Systems Testing organization and\nthe CADE 2 testing partners did adhere to the IRS standard of tracing CADE 2 requirements to\ntest cases in the RTVMs, and they further developed these RTVMs by adding test data such as\ntest cases and test results.\nThe CADE 2 PMO was responsible for verifying the Enterprise System Testing organization\xe2\x80\x99s\ntraceability work. Therefore, the Enterprise System Testing organization delivered the final\nRTVMs to the CADE 2 PMO. The CADE 2 PMO relied on a manual, ad hoc process to verify\nwhether CADE 2 requirements had been traced to test cases by the Enterprise Systems Testing\norganization. However, we found that the CADE 2 PMO did not complete this verification\n                                                                                          Page 5\n\x0c                     Customer Account Data Engine 2 (CADE 2): System\n                   Requirements and Testing Processes Need Improvements\n\n\n\nprocess prior to the implementation of the CADE 2 DP project in January 2012. 
According to\nthe CADE 2 Requirements Measures and Metrics report dated January 17, 2012, there are a total\nof 2,317 approved CADE 2 TS1 customer requirements, of which 468 (20 percent) requirements\nwere specifically related to the DP project. According to this same report, when the DP project\nwas implemented in January 2012, the CADE 2 PMO had only verified 53 (11 percent) of the\n468 DP specific requirements through its manual, ad hoc process.\nThe CADE 2 PMO did not complete this verification process prior to the implementation of the\nDP project because of numerous associated issues with the RTVMs provided by the Enterprise\nSystems Testing organization. For example, CADE 2 RTVMs were grouped with others that\nwere not related to the CADE 2 Program. This necessitated that the PMO complete a difficult\nprocess to determine which RTVMs were related to the CADE 2. Further, after the PMO\nascertained which RTVMs were related to the CADE 2, it was determined that the CADE 2\nRTVMs themselves also included other requirements and test cases that were not related to the\nCADE 2 Program. To address this challenge, the PMO then initiated another difficult process to\ndelineate the CADE 2-related requirements and test cases needed. As a result, the IRS did not\nhave sufficient assurance that all approved customer requirements were included in test cases\nand tested prior to the implementation of the DP project in January 2012.\nIn addition, the process to ensure all requirements were traced to test cases was complicated by\nuse of new tools for requirements management and test case management. This included ReqPro\nfor managing all CADE 2 requirements and Rational Quality Manager for developing and\nmanaging a portion of the CADE 2 test cases. 
Control over CADE 2 requirements and test cases\nwas also complicated because one suite of interacting automated tools was not being fully used\nto develop, manage, and bidirectionally trace requirements and test cases or to monitor, manage,\nand bidirectionally trace test case defects with test cases and requirements. The CADE 2 PMO\nand CADE 2 testing partners are using a mixture of manual processes and automated tools that\ndo not interact and bidirectionally trace in an automated fashion.\nWithout program-level traceability between the thousands of CADE 2 requirements and test\ncases, the IRS faces increased risks that some requirements may not be included in test cases and\nbe tested. As a result, the possible impact of incomplete, missing, or invalid requirements could\nhave an adverse impact on CADE 2 functionality and successful implementation in the long\nterm. Further, implementing this important management control would help to ensure taxpayer\xe2\x80\x99s\ntrust in this IRS system.\n\n\n\n\n                                                                                          Page 6\n\x0c                     Customer Account Data Engine 2 (CADE 2): System\n                   Requirements and Testing Processes Need Improvements\n\n\n\nRecommendations\nThe Chief Technology Officer should ensure:\nRecommendation 1:\n   a. Requirements and corresponding test cases are identified and sufficiently traced,\n      managed, and tested prior to the CADE 2 DI project implementation to ensure the\n      CADE 2 system operates as intended.\n   b. Enhanced oversight of traceability controls are implemented enterprise-wide. This\n      includes developing a program-level RTVM prior to the test Initiation Phase of\n      IRM 2.6.1 and updating that program-level RTVM to include test cases and final tests\n      results. This process should be formally documented.\n   c. The CADE 2 PMO provides enhanced oversight of the traceability controls. 
This\n      includes developing and providing a program-level RTVM prior to the test Initiation\n      Phase of IRM 2.6.1, and that the program-level RTVM is updated to include test cases\n      and final tests results. This process should be formally documented.\n       Management\xe2\x80\x99s Response: The IRS agreed with Recommendation 1a. The IRS\n       stated it will ensure that CADE 2 requirements and corresponding test cases are identified\n       and sufficiently traced, managed, and tested prior to the CADE 2 Database\n       Implementation.\n       However, the IRS disagreed with Recommendations 1b and 1c. The IRS stated it has not\n       committed to enterprise-wide program-level RTVMs or program-level testing IRMs for\n       using program RTVMs. The IRS agreed with the principle of program-level traceability,\n       but it does not agree that it needs to be implemented through an RTVM artifact, and that\n       it has already complied with Recommendation 1c with the development of a CADE 2\n       Program RTVM. The IRS also disagreed with the two recommendations based on what\n       it believes to be inaccuracies in the content of the recommendations, in that the RTVMs\n       are prepared during the test Initiation Phase, not before the test Initiation Phase.\n       Office of Audit Comment: We maintain an enterprise-wide RTVM and policy are\n       necessary to strengthen oversight of traceability controls for the CADE 2. Also, the IRS\n       states RTVMs are prepared during the test Initiation Phase, not before. However, as\n       stated in the report, we refer to the Requirements Traceability Matrix and RTVM as the\n       \xe2\x80\x9cRTVM\xe2\x80\x9d for clarification purposes. 
The program-level RTVM should be maintained\n       throughout the requirements management and testing processes to ensure complete\n       functionality and long-term successful implementation for the CADE 2 system.\n\n\n\n\n                                                                                          Page 7\n\x0c                            Customer Account Data Engine 2 (CADE 2): System\n                          Requirements and Testing Processes Need Improvements\n\n\n\nRecommendation 2:\n       a. A standard suite of integrated, automated tools is implemented enterprise-wide to enable\n          programs and projects to develop and manage requirements, develop and manage test\n          cases, bidirectionally trace requirements and test cases, monitor and manage test case\n          defects, and bidirectionally trace test case defects with test cases and requirements.\n       b. A standard suite of integrated, automated tools is implemented for CADE 2 Transition\n          State 2 and all future CADE 2 projects to develop and manage requirements, develop and\n          manage test cases, bidirectionally trace requirements and test cases, monitor and manage\n          test case defects, and bidirectionally trace test case defects with test cases and\n          requirements.\n           Management\xe2\x80\x99s Response: The IRS disagreed with Recommendations 2a and 2b.\n           The IRS stated it has not committed to a policy, or funded a project, to standardize and\n           implement tools on an enterprise-wide level, and that neither recommendation offers any\n           flexibility for projects that are not good candidates for automated tools. 
Automated tools are not always necessary to maintain control over requirements and test case management, traceability, etc., so the IRS does not agree with our prescribing their use.

Office of Audit Comment: As discussed with CADE 2 officials during the audit closing conference, it is important that this recommendation be fully addressed, and we delineated the recommendation into two parts for clarification on the weaknesses contributing to our finding and also for tracking purposes. We maintain that a suite of integrated, automated tools is needed to ensure that all requirements are included in test cases and appropriately tested for the CADE 2 system. Recommendation 2a addresses the need for the IRS to establish an enterprise approach to system requirements, including integrated, automated testing tools. Recommendation 2b addresses the need for such integrated, automated tools to support all phases of the CADE 2 system and to better ensure long-term success for this groundbreaking, mission-critical system.

Test Management Controls Need Improvement to Ensure Long-Term Success of the CADE 2 Program

The IRS implemented the CADE 2 testing processes to validate that the TS1 solution would function as designed and meet the IRS’s tax processing objectives once the system was implemented during the 2012 Filing Season. Adequate testing helps ensure that costly retrofits are avoided after a system is implemented. According to IRS guidelines, CADE 2 requirements must be reviewed and accepted before they are approved for testing.
We judgmentally[6] reviewed 49 of 3,083 approved system requirements and 48 of 1,530 unapproved system requirements as of September 1, 2011. The 48 unapproved requirements were deferred, proposed, rejected, or transferred.[7] Our review of requirements testing activities identified several test management concerns that could affect the success of the CADE 2 Program.

[6] A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.

Documenting test cases and test results

IRM 2.6.1 provides guidelines for testing and is used as a guide to develop detailed test plans for the CADE 2 system. The IRM states that test cases should be developed to support requirements testing, and IRS testers should obtain and maintain evidence of the actual test results. The test cases should include the requirements being tested, the expected results, and documentation of whether the requirements passed or failed during test execution. The tester should also maintain evidence to validate the actual test results, which could include computer screen prints, input and output data files, and system logs. During the test execution phase, test results should be reviewed and validated.

In 12 (24 percent) of the 49 approved requirements that we reviewed, the IRS did not ensure test cases were developed.
Also, in 14 (29 percent) of the 49 approved requirements we reviewed, the IRS could not always provide objective evidence that the requirements were sufficiently tested prior to the deployment of CADE 2 TS1 in January 2012.

Developing test cases for the infrastructure requirements – The 12 sampled requirements that did not have test cases were infrastructure requirements. IRS management advised us that there are two types of infrastructure requirements affecting the CADE 2 system:
   • Process Automation and Monitoring Requirements – requirements that deal with the scheduling and monitoring of CADE 2 programs.
   • Environmental Design Requirements – requirements that deal with the creation of environments in which to develop, test, and implement final CADE 2 systems and business functionality.

[7] The requirement populations mentioned here do not include performance and capacity requirements, which were reviewed in the Treasury Inspector General for Tax Administration, Ref. No.
2012-20-051, Customer Account Data Engine 2 Performance and Capacity Is Sufficient, but Actions Are Needed to Improve Testing (May 2012).

Figure 1 provides examples of specific infrastructure requirements that did not have a test case.

Figure 1: Infrastructure Requirements That Did Not Have a Test Case

Abbreviated Requirement Description | Test Type and Project
The Monitoring Agent/Probe shall systematically capture “Time Finish” for batch process … in standardized machine-readable format. | Processing Automation and Monitoring Infrastructure/DP
The Correlation Engine shall systematically forward alerts when “Out of Balance” is determined to be in … IMF Pre-Cutoff Processing. | Processing Automation and Monitoring Infrastructure/DP
The Monitoring Agent/Probe shall systematically capture “Time Start” for batch process … in standardized machine-readable format. | Processing Automation and Monitoring Infrastructure/DP
Infrastructure shall provide capability for the IMF to send Revenue Accounting Control System data to Redesign Revenue Accounting Control System on a daily basis. | Environmental Design Infrastructure/DP
The system shall support automated and manual configuration of setup and workflow information. | Environmental Design Infrastructure/DI
The system should rely primarily on existing platforms, communications, and technologies already operating within the enterprise. | Environmental Design Infrastructure/DI and DP
Infrastructure shall provide capability for the IMF to send TRANSCRIPT … to CADE 2 Transcripts-IMF on a daily basis. | Environmental Design Infrastructure/DP
The system shall provide storage management … mainframe platform. | Environmental Design Infrastructure/DP
The system shall have development environments. | Environmental Design Infrastructure/DI

Source: CADE 2 ReqPro extract as of September 1, 2011, and information from the IRS related to the selected requirements samples.

There were four processing automation and monitoring requirements within our audit sample that did not have verifiable test cases. We were unable to determine whether these were the correct test cases because the unique processing automation and monitoring requirement numbers were not included in the test cases, nor were the specific IRS processing runs included in the requirements. Instead, the test cases included other processing runs, and the IRS testers recorded that those processing runs passed during test execution. Therefore, we were unable to verify that these were the correct test cases for testing the requirements in question.

The remaining eight requirements from our sample that did not have test cases were environmental design requirements. IRS management stated that test cases were not applicable to these environmental design requirements because they are more appropriately validated through the use of various infrastructure documents.
These documents include Government equipment lists, developed to identify the hardware and software purchases needed to prepare the environments, and environmental checklists, used to provide evidence that the equipment has been installed and is ready for use. The IRS testing staff stated they purchased the equipment needed for the environments that would support the CADE 2 system, installed the equipment, and performed preliminary tests to ensure the equipment was ready for use to fulfill its processing requirements. However, the infrastructure documents, in some instances, do not trace back to the specific environmental design requirements they are intended to verify. Also, when the environmental design requirements included an IRS processing element, the infrastructure documents did not provide evidence that the processing capabilities, such as transmitting data daily between IRS systems, were tested prior to implementing the system.

During our review, the IRS did not believe that the methods it relied on to verify environmental design requirements were deficient. However, IRS officials acknowledged our concern, particularly with the environmental design requirements that have IRS processing features, and the IRS agreed to perform additional research on applicable guidelines for testing these types of systems development requirements. We believe that improved controls are needed in this area to ensure complete testing of the CADE 2 infrastructure and to avoid possible adverse effects on CADE 2 functionality.

Documenting evidence of test results – The IRS could not always provide actual test results evidence for the 14 requirements we reviewed. Additionally, five of these 14 requirements covered DP project activities that did not include an infrastructure requirement that was implemented in January 2012.
The remaining nine were infrastructure requirements for processing automation and monitoring (five requirements) and environmental design (four requirements). The IRS did not provide any evidence to validate the five processing automation and monitoring requirements. The IRS did not ensure testers were following IRM guidelines to obtain and maintain objective evidence, such as screen prints and input and output files, to verify that requirements were sufficiently tested. As a result, there was not an adequate system in place to provide actual test results.

For the four environmental design requirements, we determined that the IRS provided valid evidence of test results when we could reasonably identify traceability of the requirements to design documentation, the equipment purchased, and ready-for-use checklists. However, when the environmental design requirements included IRS processing elements, the documentation provided by the IRS did not provide any evidence that the processing capabilities had been tested. All four of the environmental design requirements contained some processing capabilities, but the design documents, Government equipment lists, and ready-for-use checklists did not provide evidence that these processing capabilities were tested.

If the documents used to verify actual test results are not available, then the IRS cannot verify the adequacy of its systems testing activities. In addition, we could not verify the results of these requirements prior to the implementation of CADE 2 TS1 in January 2012.

IRS management acknowledged that testers should obtain evidence to validate actual test results in accordance with the IRM.
After we presented this finding, the IRS initiated a review of IRM guidelines and identified inconsistencies in the procedures for obtaining evidence of actual test results. As a result, the IRS agreed that the IRM may need clarification regarding obtaining evidence to validate actual test results.

Management Action: Following our audit fieldwork, the IRS provided us with some documentation for DP project test results.

Determining the testability of requirements

The CADE 2 Requirements Management Plan includes the guidelines for developing quality requirements, including ensuring the requirements are “specific enough to implement and test.” Our review identified that six (12 percent) of the 49 sampled approved requirements could not be tested. The IRS did not ensure that quality review processes, such as Customer Technical Reviews, effectively identified and addressed requirements that could not be tested. The requirements that could not be tested were: 1) written at a high level; 2) not specific as written, but deemed to be covered by many other requirements and test cases; 3) included to update operating procedures; or 4) a request from the IRS business unit to capture bad data from the IMF. Figure 2 describes the requirements from our audit sample that could not be tested and the reasons provided by the IRS for not testing them.

Figure 2: Requirements That Could Not Be Tested

Requirement Description | Project | Reason the Requirement Could Not Be Tested
The system shall flag data that are the incorrect classification for correction during the load if it is needed for tax/financial obligation. | DI | The requirement is not specific as written. This is a request from the business unit to capture unknown ‘bad’ data from the IMF. DI project development created tables and provided the captured data to the business unit for review. There is no test case required.
The system shall transform input data to the format required by the CADE 2 database. | DI | This requirement is not specific as written. The IRS stated testing for this requirement is covered by many other requirements, so there is no test case for this specific requirement identification number.
The system shall utilize the automated scheduling system to schedule transaction input files for processing daily. | DP | This requirement involves current processing and a test case is not required.
The system shall ensure that the Integrated Data Retrieval System synchronizes with the current processing cycle. | DP | This was not a true requirement that can be developed. It is a requirement to prompt coordination. The CADE 2 PMO has coordinated with all stakeholders to ensure that the Integrated Data Retrieval System and all other downstream systems are in sync with the current processing cycle.
The organization shall save all production test results for two years. | DP | This is a procedural requirement to have operating procedures updated to reflect the change. No associated test case is needed.
The system shall notify downstream systems of daily updates. | DP | This requirement could not be tested at this high level, and there is no test case associated. This would be covered under other specific requirements.

Source: CADE 2 ReqPro extract as of September 1, 2011, and information from the IRS related to the selected requirement samples.

During the audit, IRS management acknowledged the finding and agreed to take the needed steps to clarify the IRM on the development of requirements. The inclusion of requirements that cannot be tested could result in insufficiently developed test cases. When the IRS creates test cases for requirements that are not specific enough to test, the IRS does not have assurance that these test cases are appropriate. If the results from inappropriate test cases are accepted, they could adversely affect the operation of the CADE 2 system.

Deferring requirements without following the change management process

The CADE 2 Requirements Management Plan indicates that formal change documents, such as change requests and impact assessments, should be prepared when a requirement is deferred. For the CADE 2 Program, change requests must be approved by the Change Control Board.
Further, assessments are needed to identify the impact of deferred requirements on other requirements and system functionality. We identified 12 approved requirements and three proposed requirements that had been deferred outside of these change management guidelines. These included deferred requirements for forwarding alerts when outbound dollar values reach or exceed predetermined thresholds. Other deferred requirements related to capabilities to capture outbound transaction counts and inbound dollar values. The IRS did not ensure the required change requests and impact assessments were prepared prior to deferring these requirements.

IRS staff advised us that they did not prepare formal documentation for these deferred requirements because the requirements were not deferred to another release (such as CADE 2 Transition State 2). Without following the established change management guidelines, including the preparation of impact assessments, users and stakeholders are unable to ascertain the potential impacts of the deferred requirements on other CADE 2 requirements and system functionality.

Management Action: The IRS acknowledged that the Requirements Management Plan requires the change management process to be fully followed in making decisions to defer requirements. However, the CADE 2 requirement procedures specifically refer to requirements being deferred to a future release, and the requirements being deferred in our finding were not deferred to a future release. IRS management stated, however, that our inquiry highlighted a gap in their process regarding the deferral of requirements within a release.
As a result, the IRS plans to expand its change management processes to include deferring and tracking requirements within a release. This action should ensure that all stakeholders have assessed the potential impacts.

Ensuring testers follow established guidelines during test execution

We observed several IRS testers to ensure CADE 2 tests were successfully executed according to the guidelines in IRM 2.6.1. These procedures require IRS testers to document the results, follow the test scripts, update the test cases during test execution, and maintain sufficient evidence so the results of testing can be verified during test execution. During 11 on-site test observations, testers: 1) did not always consider the most recent changes prior to executing a test case; 2) did not update the test script with observed changes until after the test was executed; 3) experienced a slow response and were unable to access Rational Quality Manager when ready to record test results; and 4) did not always have access to the Rational Quality Manager reporting functionality. These conditions indicate that IRS management did not ensure its testers consistently followed the required IRM guidelines. The risk of incomplete or invalid testing is increased when testers do not follow required test execution practices, and invalid testing could adversely affect CADE 2 functionality.

Management Action: IRS management stated that the Rational Quality Manager pilot team provided feedback showing that the Rational Quality Manager reporting function was performing adequately and that availability and accessibility had been good.
In addition, the reporting component of Rational Quality Manager was being implemented and configured at the same time as our audit fieldwork.

Recommendations

The Chief Technology Officer should ensure:

Recommendation 3: IRM guidelines are followed, specifically that:
   a. Test cases and other appropriate documentation are properly developed for infrastructure requirements, and all infrastructure documentation includes complete traceability to the requirements being tested and the testing results.
   b. IRS testers obtain and maintain documentation to verify test results.
   c. Test execution practices are consistent prior to the CADE 2 DI project implementation.

Management’s Response: The IRS agreed with Recommendations 3b and 3c. The IRS stated it will ensure that IRM guidelines are followed, that IRS testers obtain and maintain documentation to verify test results, and that test execution practices are consistent prior to the CADE 2 DI project implementation.

However, the IRS disagreed with Recommendation 3a.
The IRS believes that appropriate documentation already exists for infrastructure requirements through the association of Government Equipment Lists and environmental checklists, which provide sufficient assurance that infrastructure components have been acquired and implemented.

Office of Audit Comment: While the IRS’s documentation does verify that infrastructure components have been acquired and implemented, we maintain that additional infrastructure documentation is needed to verify that processing requirements have been tested and to better ensure complete CADE 2 functionality and successful long-term implementation of this critical system.

Recommendation 4: Quality review processes, including Customer Technical Reviews, identify, correct, or remove requirements that cannot be tested prior to the implementation of testing activities.

Management’s Response: The IRS agreed with this recommendation. The IRS stated it will develop procedures to ensure that quality review processes, which will include Customer Technical Reviews, identify, correct, or remove requirements that cannot be tested prior to the implementation of testing activities.

Recommendation 5: Formal change management processes are implemented for all deferred and proposed requirements prior to the CADE 2 DI project implementation.

Management’s Response: The IRS agreed with this recommendation.
The IRS stated it will develop procedures to ensure a formal change management process for all deferred and proposed requirements.

Identified Security Issues Need to Be Resolved

The Security Assessment and Authorization process is designed to ensure that an information system will operate with the appropriate management review, that there is ongoing monitoring of security controls, and that reaccreditation occurs periodically. As part of this process, the Cybersecurity organization conducted a CADE 2 Security Control Assessment to ensure the CADE 2 system’s security safeguards are in place and functioning as intended. The Security Control Assessment is an analysis of the nontechnical and technical security controls required to protect information in an operational environment. Our review focused on Developer Security Testing, which was part of the CADE 2 Security Control Assessment.

The Cybersecurity organization conducted the Developer Security Testing activity[8] in coordination with other IRS supporting organizations to ensure the CADE 2 TS1 meets the established security requirements in accordance with IRM guidelines and National Institute of Standards and Technology Special Publication 800-53 (NIST SP 800-53), Recommended Security Controls for Federal Information Systems and Organizations.[9] This activity is the process of exercising one or more system components under specified conditions to compare actual test results to expected outcomes.
Due to the critical nature of the CADE 2 system, the IRS is moving forward with systems security under a short-term Authorization to Operate through July 30, 2012; however, the following issues need to be resolved before the CADE 2 system is placed in service.

Management of security requirements testing needs improvement

IRM 2.6.1 provides guidelines for the development of requirements, tracing those requirements to their sources and test cases, and the execution of test cases. It specifies that failed test cases should be re-executed in regression testing to ensure no new errors are created by the correction. Additionally, the CADE 2 DI TS1 Developer Security Testing Test Plan provides IRM and NIST SP 800-53 requirements guidance for security testing standards and procedures.

The CADE 2 Application System Security Plan addressed the NIST SP 800-53 security controls; however, we identified areas in Developer Security Testing that need improvement.
   • Testing of Developer Security Testing requirements – During sample selection of these requirements, the IRS could not identify and provide complete traceability of test cases to security requirements. The Cybersecurity team performed an analysis tracing test cases to security requirements. Their analysis identified that 219 (72 percent) of 303 security requirements were not tested. The Cybersecurity organization noted in meetings with us that its intent was not to test 100 percent of all security requirements but to focus on the most critical controls. However, we are concerned with the high percentage of system security requirements not tested at the time of our review.
   • Regression testing of failed Developer Security Testing test cases – Based on our review, the CADE 2 Developer Security Testing End of Test Results Report identified that 54 (47 percent) of 115 test cases failed. The 54 failed test cases were categorized into 16 findings based on NIST SP 800-53 control identification numbers. Further analysis by the IRS allowed the 16 findings to be grouped into five risks scheduled for completion in February 2012.

[8] The Cybersecurity organization conducted its Developer Security Testing activity only for the CADE 2 database.
[9] NIST, NIST SP 800-53 Rev. 3, Information Security: Recommended Security Controls for Federal Information Systems and Organizations (Aug. 2009) (includes updates as of May 1, 2010).

The IRS did not ensure the testers followed the IRM guidelines for the development, tracing, and testing of security requirements. The Cybersecurity organization applied NIST SP 800-53 Developer Security Testing guidance and the IRS’s annual controls assessment methodology to develop Developer Security Testing test cases, security control traceability, and security testing. In December 2011, the IRS indicated that while not all security requirements would be tested as part of its Developer Security Testing, 100 percent of all applicable NIST SP 800-53 security controls would be tested in the Security Control Assessment before the CADE 2 DI project received its final Authorization to Operate in July 2012. However, CADE 2 officials acknowledged our finding and agreed that clarification at the enterprise-wide level is needed to guide processes for systems security requirements testing.
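The two bullets above, together with the earlier finding that test cases did not carry the requirement numbers they were meant to verify, are symptoms of one missing control: a bidirectional trace between requirements and test cases that can be queried rather than reconstructed by hand. The following Python script is an added illustration of what a minimal program-level RTVM check looks like; it is not IRS code, and the requirement identifiers, the NIST SP 800-53 control mappings, the test case results and the evidence file names are constructed for the example. Given a requirements list and a test case list, it reports requirements with no test case, test cases that trace to an unknown requirement, passed test cases with no retained evidence, failed test cases queued for regression, and failed test cases grouped into findings by the control they trace to, which is how the report says the 54 failed cases were rolled into 16 findings.

```python
"""Minimal program-level RTVM check: bidirectional trace between requirements and test cases.

Added example; the data below are constructed and do not come from the CADE 2 RTVM.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    req_id: str
    control: str      # NIST SP 800-53 control the requirement derives from (assumed mapping)
    text: str


@dataclass(frozen=True)
class TestCase:
    tc_id: str
    traces_to: tuple  # requirement IDs the test case claims to verify
    result: str       # "pass", "fail" or "not run"
    evidence: tuple = ()  # retained objective evidence: screen prints, logs, output files


# Constructed sample data for the example.
REQUIREMENTS = [
    Requirement("SEC-001", "AC-2", "Database accounts shall be individually assigned."),
    Requirement("SEC-002", "AC-6", "Privileged database functions shall be restricted to DBA roles."),
    Requirement("SEC-003", "CM-6", "Default sample databases and their accounts shall be removed."),
    Requirement("SEC-004", "CM-7", "Only ports listed in the approved baseline shall be active."),
    Requirement("SEC-005", "IA-5", "Passwords shall meet IRS complexity policy."),
    Requirement("SEC-006", "SC-13", "Integrity hashes shall use a FIPS-approved algorithm."),
]
TEST_CASES = [
    TestCase("TC-01", ("SEC-001",), "pass", ("tc01_screen.png",)),
    TestCase("TC-02", ("SEC-002",), "fail", ("tc02_grants.txt",)),
    TestCase("TC-03", ("SEC-003", "SEC-004"), "fail"),
    TestCase("TC-04", ("SEC-009",), "pass", ("tc04.log",)),  # traces to a requirement that does not exist
    TestCase("TC-05", ("SEC-005",), "pass"),                  # passed, but no evidence was retained
]


def build_rtvm(requirements, test_cases):
    """Trace in both directions and return the gaps an auditor would ask about."""
    req_ids = {r.req_id for r in requirements}
    control_of = {r.req_id: r.control for r in requirements}
    tcs_for_req = defaultdict(list)   # requirement -> test cases that verify it
    orphan_tcs = []                   # (test case, requirement ID that is not in the baseline)
    for tc in test_cases:
        for rid in tc.traces_to:
            if rid in req_ids:
                tcs_for_req[rid].append(tc)
            else:
                orphan_tcs.append((tc.tc_id, rid))

    untested = sorted(rid for rid in req_ids if rid not in tcs_for_req)
    failed = [tc for tc in test_cases if tc.result == "fail"]
    passed_without_evidence = sorted(
        tc.tc_id for tc in test_cases if tc.result == "pass" and not tc.evidence
    )

    # Roll failed test cases up into findings keyed by the control they trace to.
    findings = defaultdict(set)
    for tc in failed:
        for rid in tc.traces_to:
            if rid in control_of:
                findings[control_of[rid]].add(tc.tc_id)

    return {
        "untested_requirements": untested,
        "untested_pct": round(100 * len(untested) / len(req_ids)),
        "orphan_test_cases": orphan_tcs,
        "regression_queue": sorted(tc.tc_id for tc in failed),  # re-execute after the fix
        "passed_without_evidence": passed_without_evidence,
        "findings_by_control": {c: sorted(t) for c, t in sorted(findings.items())},
    }


if __name__ == "__main__":
    for key, value in build_rtvm(REQUIREMENTS, TEST_CASES).items():
        print(f"{key}: {value}")
```

With real data the two inputs would be extracts from the requirements tool and the test management tool keyed on the same requirement identifier; the check is only as good as that shared key, which is exactly what was missing when the sampled processing automation and monitoring test cases carried no requirement number.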
We believe that if test case development, security control traceability, and security testing focus only on the required NIST SP 800-53 controls and system components, the risk of missing security requirements could have an adverse impact on CADE 2 functionality and successful implementation. Adequate system security is needed to prevent the loss of Personally Identifiable Information and other sensitive data, maintain taxpayers’ trust, and support tax administration functions within the IRS.

Vulnerability detection scans identified critical issues in the database management system

The IRM states that identified vulnerabilities should be corrected within a specific time period, based on the criteria in NIST Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems.[10] If the vulnerabilities are not corrected within the specified time period, the IRS needs to add the weaknesses to a Plan of Action and Milestones so they can be tracked and managed.

The IRS introduced the Guardium solution[11] to perform database vulnerability detection scans. In December 2011, the IRS performed a Guardium scan on the mainframe database management system, which included the four CADE 2 environments: 1) Final Integration Test, 2) Systems Acceptance Test, 3) Development, and 4) Production. Within this database management system are multiple applications and databases, including CADE 2.

[10] NIST, FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems (Feb. 2004).
[11] IBM InfoSphere Guardium’s Vulnerability Assessment solution scans database infrastructures on a scheduled basis to detect vulnerabilities and suggests remedial actions.

The Guardium scan identified a total of 282 issues across the four environments. While the weaknesses specific to the CADE 2 system could not be isolated, the issues identified are consistent within each environment. Identified issues are categorized as critical, major, and minor. Of the 282 issues identified, 208 are deemed critical. We reviewed only the critical issues identified by the Guardium scan.
   • Critical access privilege issues, related to users, system accounts, and services with unauthorized access to privileged functionality, account for 202 of the 208 issues.
   • Critical issues related to database configuration account for six of the 208 issues. These six configuration issues are related to default databases that were not removed and default ports that were active. The IRM states that default sample databases, along with any associated objects and user accounts, are to be removed. These default databases use default user identifications, passwords, and ports, which increase the risk of unauthorized users gaining access to sensitive taxpayer information.

We are concerned that the IRS does not have a fully developed enterprise-wide process in place to address the database weaknesses identified by the Guardium software.
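As an added example, not IRS code and not Guardium output, the following Python script shows the triage step the IRM describes: each scan finding receives a remediation due date based on its severity, findings past that date are listed as Plan of Action and Milestones candidates, default-database and default-port findings are called out separately because they are the ones with known default credentials, and the POA&M creation deadline is computed as 60 days after the final Authorization to Operate. The CSV layout and column names are assumed (the page does not show Guardium's export format), the sample findings are constructed, and the remediation window per severity is a placeholder because the IRM's actual time periods are not given on the page.

```python
"""Triage of database vulnerability scan findings against a remediation window and the POA&M rule.

Added example. The export format, the findings and the per-severity windows are all constructed
or assumed; only the 60-day POA&M rule comes from the report.
"""
import csv
import io
from collections import Counter
from datetime import date, timedelta

# Assumed remediation windows in days per severity. The IRM's real periods are not on the page.
REMEDIATION_DAYS = {"critical": 30, "major": 90, "minor": 180}
POAM_DAYS_AFTER_ATO = 60  # report: POA&M created within 60 days after the final ATO

# Constructed scan export. Column names are assumed, not Guardium's actual export schema.
SCAN_CSV = """environment,severity,category,test,object
Production,critical,privilege,EXECUTE on privileged stored procedure granted to PUBLIC,PUBLIC
Production,critical,privilege,Service account holds DBADM authority,SVC_BATCH
Production,critical,configuration,Default sample database present,SAMPLE_DB
Production,critical,configuration,Default listener port active,TCP/50000
Production,major,privilege,Application account can GRANT to others,APP_CADE2
Development,critical,configuration,Default sample database present,SAMPLE_DB
Development,minor,configuration,Audit retention below baseline,db2audit
"""

# Test names that indicate a vendor default (sample database, default port, default password)
# was left in place. These defaults ship with known credentials and are the first thing an
# attacker tries, so they are tracked separately from the privilege findings.
DEFAULT_ARTIFACT_MARKERS = ("default sample database", "default listener port", "default password")


def parse_findings(csv_text):
    """Read the scan export into a list of dicts, one per finding."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def is_default_artifact(finding):
    return finding["test"].lower().startswith(DEFAULT_ARTIFACT_MARKERS)


def summarize(findings):
    """Counts by severity, critical counts by category, and the default artifacts still present."""
    by_severity = Counter(f["severity"] for f in findings)
    critical_by_category = Counter(
        f["category"] for f in findings if f["severity"] == "critical"
    )
    defaults = sorted({(f["environment"], f["object"]) for f in findings if is_default_artifact(f)})
    return {
        "by_severity": dict(by_severity),
        "critical_by_category": dict(critical_by_category),
        "default_artifacts": defaults,
    }


def poam_candidates(findings, scan_date_iso, today_iso):
    """Findings whose remediation window has elapsed: each must be fixed, tracked in a POA&M,
    or formally risk-accepted. Dates are ISO strings so the function needs no date plumbing."""
    scan_date = date.fromisoformat(scan_date_iso)
    today = date.fromisoformat(today_iso)
    overdue = []
    for f in findings:
        due = scan_date + timedelta(days=REMEDIATION_DAYS[f["severity"]])
        if today > due:
            overdue.append((f["environment"], f["severity"], f["test"], due.isoformat()))
    return overdue


def poam_deadline(final_ato_iso):
    """Latest date by which the POA&M must exist, per the 60-day rule in the report."""
    return (date.fromisoformat(final_ato_iso) + timedelta(days=POAM_DAYS_AFTER_ATO)).isoformat()


if __name__ == "__main__":
    found = parse_findings(SCAN_CSV)
    print(summarize(found))
    for item in poam_candidates(found, "2011-12-15", "2012-02-01"):
        print("POA&M candidate:", item)
    print("POA&M due by:", poam_deadline("2012-07-30"))
```

The point of keeping the default-artifact check separate from the severity count is that a default sample database is not remediated by re-scoping privileges; it is removed, along with its objects and accounts, which is what the IRM already requires.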
While a formal process\nfor reviewing and resolving the scan results known as the Database Vulnerability Remediation\nProcess has been developed, it has not been finalized or approved. The IRS reports that the\nprocess is currently being refined on Tier 2 systems before application to Tier 1.\nLastly, the IRS should ensure that a Plan of Actions and Milestones is created within 60 days\nafter the final Authorization to Operate for the CADE 2 DI project to correct any database\nvulnerability weakness or accept the risk. If this does not occur, the vulnerabilities cannot be\ntracked and may not be resolved. Again, adequate system security is needed to prevent the loss\nof Personally Identifiable Information and other sensitive data, maintain taxpayers\xe2\x80\x99 trust, and\nsupport tax administration functions within the IRS.\n\nSource code security review testing identified security weaknesses in the Java\nBalance and Control Initialization Code\nEncryption standards are mandatory for all Federal Government systems in accordance with\nFIPS Publication 140-2, Security Requirements for Cryptographic Modules.12 Password policies\nare set by the IRS in Application and Operating System Password Policies, issued November 25,\n2011. In addition, correcting computer source coding issues is a best practice applicable to the\nCADE 2 system.\n\n12\n  NIST, FIPS PUB 140-2, FIPS Publication: Security Requirements for Cryptographic Modules (May 2001). 
This\npublication provides a standard to be used by Federal organizations when these organizations specify that\ncryptographic-based security systems are to be used to provide protection for sensitive or valuable data.\n                                                                                                  Page 18\n\x0c                     Customer Account Data Engine 2 (CADE 2): System\n                   Requirements and Testing Processes Need Improvements\n\n\n\nThe IRS performed a Source Code Security Review of the JAVA programming code in the\nCADE 2 Balance and Control Module in October 2011. The IRS stated that this module is used\nto initialize the CADE 2 database and will be removed once it is initialized. The code review\nidentified 12 issues. Examples of these weaknesses are:\n   \xef\x82\xb7   Encryption standards compliant with FIPS Publication 140-2 are not being used. The\n       application is using a cryptographic algorithm that is not compliant with Federal\n       requirements. The application is using MD5 to generate a hash of the configuration files.\n   \xef\x82\xb7   Data input validation was not being performed, which introduced standard query\n       language injection problems. Standard query language injection occurs when a user is\n       able to enter malicious data that, when included as part of the query, modify the original\n       query to provide additional functionality not intended by the application. This issue is\n       partially mitigated because the source of the data moving through this module is from the\n       IMF database and not from user input.\n   \xef\x82\xb7   Incorrect logical operators were used in conditional statements, leading to potentially\n       invalid results and inappropriate access. 
One example provided by the Code Review\n       team indicated that when saving a file located on the server, the application attempts to\n       verify that the file exists and the user has the appropriate privileges to write to the file.\n       However, the code as written treats the condition as an \xe2\x80\x9cOR\xe2\x80\x9d clause, so that only one of\n       the conditions has to be met. Once the program determines that the file exists, it will\n       ignore the rest of the statement and attempt to save the file, which will cause system\n       permission errors if the user does not have write permission on the file.\n   \xef\x82\xb7   Password policy settings required by the IRS were not being used. Although the database\n       credentials are encrypted in the configuration files, the username and password appear to\n       be the same value, which is a violation of IRS password requirements. Additionally,\n       since they are the same value, it would be unlikely that the password being used is\n       sufficient to meet IRS standards because that would mean that the username contained\n       upper case and lower case letters, numbers, and special characters. Further, passwords\n       would need to be changed every 90 days; something that is not true of usernames.\nDiscussions with the IRS in January 2012 indicated that these issues were not yet addressed and\na date to correct the weaknesses had not been scheduled. 
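The four weakness classes the code review lists above (a non-approved MD5 hash, unvalidated query input, an “OR” where an “AND” was intended in the file check, and a password equal to its username), each shown beside a corrected form. This is a constructed Java example added for illustration, not code from the CADE 2 Balance and Control module; the class, method, table and column names and the sample configuration bytes are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

/**
 * Constructed example: a weak/hardened pair for each weakness class the
 * Source Code Security Review reported. Not CADE 2 code; names are hypothetical.
 */
public final class BalanceControlReviewFixes {

    /* 1. Logical operator. The finding describes "file exists OR user may write",
     *    so an existing read-only file passes and the save later fails with a
     *    permission error. */
    static boolean mayWriteWeak(File f) {
        return f.exists() || f.canWrite();
    }

    /* Hardened: both conditions are required. A file that does not exist yet is
     * acceptable only when its directory is writable. */
    static boolean mayWriteFixed(File f) {
        if (f.exists()) {
            return f.isFile() && f.canWrite();
        }
        File dir = f.getAbsoluteFile().getParentFile();
        return dir != null && dir.isDirectory() && dir.canWrite();
    }

    /* 2. Configuration-file hash. MD5 is not a FIPS 140-2 approved algorithm;
     *    SHA-256 is. The expected digest is compared in constant time. */
    static byte[] configDigestWeak(byte[] config) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("MD5").digest(config);
    }

    static byte[] configDigestFixed(byte[] config) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(config);
    }

    static boolean configUnchanged(byte[] config, byte[] expectedSha256) throws NoSuchAlgorithmException {
        return MessageDigest.isEqual(configDigestFixed(config), expectedSha256);
    }

    /* 3. Input validation. A value concatenated into the query text is parsed as
     *    SQL; binding it as a parameter keeps it data. Table and column names are
     *    hypothetical. */
    static String accountQueryWeak(String tin) {
        return "SELECT balance FROM account WHERE tin = '" + tin + "'";
    }

    static PreparedStatement accountQueryFixed(Connection conn, String tin) throws SQLException {
        PreparedStatement ps = conn.prepareStatement("SELECT balance FROM account WHERE tin = ?");
        ps.setString(1, tin);
        return ps;
    }

    /* 4. Password policy. The finding is that username and password share one
     *    value. This check refuses that and requires the four character classes
     *    the report cites (upper case, lower case, digit, special). */
    static boolean passwordAcceptable(String username, String password) {
        if (password.equalsIgnoreCase(username)) {
            return false;
        }
        boolean upper = false, lower = false, digit = false, special = false;
        for (char c : password.toCharArray()) {
            if (Character.isUpperCase(c)) upper = true;
            else if (Character.isLowerCase(c)) lower = true;
            else if (Character.isDigit(c)) digit = true;
            else special = true;
        }
        return upper && lower && digit && special;
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws IOException, NoSuchAlgorithmException {
        File f = File.createTempFile("bc-config", ".properties");
        f.setWritable(false);                                       // simulate an existing read-only file
        System.out.println("weak check  : " + mayWriteWeak(f));    // true: exists() alone satisfies the OR
        System.out.println("fixed check : " + mayWriteFixed(f));   // false (unless running as a privileged user)
        f.setWritable(true);
        f.delete();

        byte[] cfg = "db.user=bcinit\ndb.port=5000\n".getBytes(StandardCharsets.UTF_8); // constructed sample
        System.out.println("md5    : " + hex(configDigestWeak(cfg)));
        System.out.println("sha256 : " + hex(configDigestFixed(cfg)));
        System.out.println("unchanged: " + configUnchanged(cfg, configDigestFixed(cfg)));
        System.out.println("same-as-username rejected: " + !passwordAcceptable("bcinit", "bcinit"));
        System.out.println("compliant value accepted : " + passwordAcceptable("bcinit", "Tr4ce!Matrix"));
    }
}
```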
Throughout this audit we discussed with the IRS the need to better ensure that adequate system security is provided for the CADE 2 system in order to minimize risks with the loss of Personally Identifiable Information and other sensitive data, maintain taxpayers’ trust, and support critical tax administration functions.

Recommendations

The Chief Technology Officer should ensure:

Recommendation 6: All security requirements and corresponding test cases are identified and sufficiently traced, managed, and tested prior to the CADE 2 DI project implementation to ensure the CADE 2 system operates as intended.

    Management’s Response: The IRS agreed with this recommendation. The IRS stated it has implemented a trace relationship capability in the CADE 2 Program’s requirements repository. This capability allows the traceability of security requirements to test case identifiers and provides verification for ensuring that all security requirements for the CADE 2 DI are tested. Moving forward, the IRS plans to input test cases into Rational Quality Manager. Rational Quality Manager will provide an automated means to directly trace test cases to security requirements, thus allowing for proper traceability management for security requirements to test cases.

Recommendation 7: All database issues identified by the Guardium scan are resolved or an action plan is developed with specific corrective actions and time periods.

    Management’s Response: The IRS agreed with this recommendation. The IRS stated that the Cybersecurity organization worked with Enterprise Operations using an ad hoc process to triage the initial vulnerability findings, and a formal process is currently under development.

Recommendation 8: All issues identified by Source Code Security Review scans are resolved or an action plan is developed with specific corrective actions and time periods prior to the code being placed into service.

    Management’s Response: The IRS agreed with this recommendation. The IRS stated that enterprise-wide, all issues identified by Source Code Security Review scans should be resolved or a remediation action plan be developed prior to putting specific code in service, absent a risk-based decision by the Program Governance Board. The IRS also stated that, in the case of CADE 2 Java Balance and Control Initialization Code, we did not mention in the audit report that an explicit, risk-based decision was made by the CADE 2 Program Governance Board to accept the code weaknesses related to the Program. Since we completed audit fieldwork in January 2012, the IRS has continued to perform secure code reviews within the Program.

Appendix I

Detailed Objective, Scope, and Methodology

Our overall objective was to determine whether CADE 2 TS1 testing activities were performed in accordance with applicable policies and procedures. To accomplish this objective, we:

I.   Requirements Management – Determined whether the CADE 2 requirements management activities follow systems development guidelines.
     A. In accordance with audit recommendations in our CADE 2 PMO report,1 determined the status of requirements and the requirements repository (ReqPro) used to document and control requirements.
     B. Determined whether a complete RTVM has been developed by the CADE 2 PMO prior to testing, in accordance with IRM 2.6.1.
     C. For each type of test listed in the audit plan, determined whether the RTVM is updated to reflect test case results.
II.  Testing and Deployment – Determined whether the CADE 2 testing activities met IRM guidelines and industry standards.
     A. Determined whether the Final Integration Test Phase 1, Systems Acceptance Test, Final Integration Test Phase 2 (2012 Filing Season), and User Acceptance Test were conducted, results analyzed, and defects adequately resolved.
        1. Obtained and reviewed the test plan to ensure it met IRM requirements.
        2. Determined whether defects identified during testing were resolved.
        3. Judgmentally2 selected and reviewed 49 of 3,083 approved CADE 2 system requirements and 48 of 1,530 unapproved CADE 2 system requirements to determine whether testing activities complied with IRM guidelines and industry standards. We used a judgmental sample because we were not planning to project our results.
        4. Obtained and reviewed the Final Integration Test Phase 1 end-of-test report, which contains the final complete test results.
     B. Conducted on-site test observations of the CADE 2 testing to determine whether adequate resources (such as equipment, staff, etc.) were assigned, system developers were not performing the testing, testers fully completed the test scripts assigned, and test results were accurately recorded.
III. Security – Determined whether the System Security Plan for the CADE 2 system included adequate security controls and whether security testing activities performed prior to deployment met NIST and IRM requirements guidance and industry standards.
     A. Obtained the System Security Plan to determine whether adequate security controls were in place.
     B. Obtained Developer Security Test testing results to verify that the security controls included in the System Security Plan were successfully tested.
     C. Obtained Accessibility Test testing results to verify that the security controls included in the System Security Plan were successfully tested.
     D. For any other security tests identified during the audit, obtained testing results to verify that the security controls adequately met applicable security guidance.
IV.  Configuration Testing – Determined the adequacy of the configuration management of the CADE 2 operating system and associated databases in accordance with NIST, IRM, and other Federal guidance.
     A. Assessed the adequacy of IRS configuration management processes over the CADE 2 operating system and associated databases in both test and production environments.
     B. Interviewed CADE 2 operating system and database management personnel to determine reasons for variances from the standards, if any.

1 Treasury Inspector General for Tax Administration, Ref. No. 2011-20-127, Customer Account Data Engine 2 Program Management Office Implemented Systems Development Guidelines; However, Process Improvements Are Needed to Address Inconsistencies (Sept. 2011).
2 A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.

Internal controls methodology

Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined the following internal controls were relevant to our audit objective: IRM and related IRS guidelines and the processes followed in the development of information technology projects. We evaluated these controls by conducting interviews with management and staff, attending meetings of the CADE 2 Test Program and project teams, attending on-site tests, and reviewing Program documentation such as the CADE 2 Program Test Plan, CADE 2 Requirements Management Plan, various test plans, and other documents that provided evidence of whether IRS systems testing processes were followed and whether those processes were adequate.

Appendix II

Major Contributors to This Report

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)
Gwendolyn A. McGowan, Director (Systems Modernization and Applications Development)
Danny R. Verneuille, Director
Kimberly R. Parmley, Audit Manager
Larry W. Reimer, Information Technology Audit Manager
Suzanne M. Westcott, Lead Auditor
Charlene L. Elliston, Senior Auditor
Louis Lee, Senior Auditor
Wallace C. Sims, Senior Auditor
David F. Allen, Senior Program Analyst
Hung Q. Dam, Information Technology Specialist
Arlene Feskanich, Information Technology Specialist
K. Kevin Liu, Information Technology Specialist

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Services and Enforcement SE
Commissioner, Wage and Investment Division SE:W
Deputy Chief Information Officer for Strategy/Modernization OS:CTO
Associate Chief Information Officer, Applications Development OS:CTO:AD
Associate Chief Information Officer, Cybersecurity OS:CTO:C
Associate Chief Information Officer, Modernization – Program Management Office OS:CTO:MP
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
    Commissioner, Wage and Investment Division SE:W:S:PRA:PEI
    Director, Risk Management Division OS:CTO:SP:RM

Appendix IV

Glossary of Terms

Applications Development Organization: The IRS organization responsible for building, testing, delivering, and maintaining integrated information applications systems, i.e., software solutions, to support IRS modernized systems and the production environment.

Authorization to Operate: A formal declaration by a Designated Approving Authority that authorizes operation of a business product and explicitly accepts the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals based on the implementation of an agreed-upon set of information security controls.

Bidirectional Traceability: Bidirectional traceability of requirements can be established from the source requirement to its lower level requirements and from the lower level requirements back to their source. Such bidirectional traceability helps determine that all source requirements have been completely addressed and that all lower level requirements can be traced to a valid source. Also, once test cases are developed for associated requirements, bidirectional traceability enables requirements to trace to test cases and test cases to trace to requirements.

CADE 2 Transition State 1 Solution: Modifies the IMF from a weekly cycle to daily processing, establishes a new relational database to store all individual taxpayer account information, and provides management tools to more effectively use data for compliance and customer service. See Customer Account Data Engine.

Change Request: The medium for requesting approval to change a baselined requirement, product, or other controlled item.

Configuration: The overall way a computer is set up that pertains to hardware and software.

Cryptographic Algorithm: An encrypted or unreadable list of instructions, procedures, or formulas used to solve a problem.

Customer Account Data Engine: A major component of the IRS’s Modernization Program. The system consists of current and planned databases and related applications that work with the IRS Master File system (see Master File).

Customer Requirement: Requirements that describe a business or technical need, such as desired functionality, acceptable performance, storage capacity, or system availability and reliability, in the language of the customer.

Daily Processing Project: A project under the CADE 2 Program that, when completed, will change weekly individual taxpayer account processing to daily processing.

Database: The CADE 2 developed a centralized relational database. A relational database is a collection of data items organized as a set of formally described tables from which data can be accessed or reassembled in many different ways without having to reorganize the database tables.

Database Implementation Project: A project under the CADE 2 Program intended to implement the newest version of the relational database.

Database Management System: A collection of programs that can store, modify, and extract information from a database.

Developer Security Test (SA-11): Addresses confidentiality, integrity, and availability of the software; data processed by the system; and resolution of issues that could result in security vulnerabilities.

Encryption: The process of making data unreadable by other humans or computers for the purpose of preventing others from gaining access to its contents.

Enterprise Architecture: A unifying overall design or structure for an enterprise that includes business and organizational aspects of the enterprise as well as technology aspects. Enterprise Architecture divides the enterprise into its component parts and relationships and provides the principles, constraints, and standards to help align business area development efforts in a common direction. An Enterprise Architecture ensures that subordinate architectures and business system components developed within particular business areas and multiple projects fit together into a consistent, integrated whole.

Enterprise Life Cycle: A structured business systems development method that requires the preparation of specific work products during different phases of the development process.

Federal Information Processing Standards: A set of standards that describe document processing, encryption algorithms, and other information technology standards for use within nonmilitary Government agencies and by Government contractors and vendors who work with the agencies.

Filing Season: The period from January 1 through April 15 when most individual income tax returns are filed.

Final Integration Test Phase 1: For the CADE 2 system, the Final Integration Test will be conducted in two phases – Phase 1 and Phase 2. Phase 1 has been added to the testing life cycle to accelerate the timing of integrated system testing and provide additional time to take corrective action for any issues that might be identified. Phase 1 will be performed to validate the weekly cycle change, data migration, system integration, systems monitoring and trouble handling, balance and control, operations automation/scheduling, and system performance.

Final Integration Test Phase 2: For the CADE 2 system, the Final Integration Test will be conducted in two phases – Phase 1 and Phase 2. Phase 2 will be a “traditional” filing season Final Integration Test that includes the 2012 Filing Season and legislative changes. The Final Integration Test is the integrated end-to-end testing of multiple systems that support the high-level business requirements of the IRS. It is designed to ensure that IRS systems interoperate correctly prior to production startup utilizing copies of production data in a near-production environment. The Final Integration Test is performed from the perspective that all IRS application systems are subsystems to an overall Tax Processing System. The Tax Processing System consists of hundreds of subsystems operating on many unique hardware and software platforms. The Final Integration Test verifies that data are transferred correctly between the systems within the Tax Processing System.

Hashing: When referring to security, hashing is a method of taking data, encrypting it, and creating unpredictable, irreversible output. There are many different hashing algorithms. MD2, MD5, SHA, and SHA-1 are examples of hashing algorithms.

Individual Master File: The IRS database that maintains transactions or records of individual tax accounts.

Infrastructure: The fundamental structure of a system or organization. The basic fundamental architecture of any system (electronic, mechanical, social, political) determines how it functions and how flexible it is to meet future requirements.

Initiation Phase: The first of four phases of the IRS testing life cycle. The Initiation Phase begins the test planning process to determine the test scope, cost, and schedule. It also includes requirements analysis and the development of the RTVM.

Integrated Data Retrieval System: The IRS computer system capable of retrieving or updating stored information; it works in conjunction with a taxpayer’s account records.

Java Programming Code: Computer program instructions used by computer programmers to develop applications, scripts, or other sets of instructions for a computer to execute.

Logical Operators: Another way of defining the Boolean operators: AND, OR, and NOT. The Boolean operators were developed by the English mathematician and computer pioneer, George Boole.

Master File: The IRS database that stores various types of taxpayer account information. This database includes individual, business, and employee plans and exempt organizations data.

Milestone: Scheduled time period for providing a “go/no-go” decision point in a program or project (can be associated with funding approval to proceed).

National Institute of Standards and Technology: A nonregulatory Federal agency, within the Department of Commerce, responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all Federal Government agency operations and assets.

Personally Identifiable Information: Information that can be used to uniquely identify, contact, or locate a single individual or that can be used with other sources to uniquely identify a single individual.

Plan of Actions and Milestones: A management process that outlines weaknesses and delineates the tasks necessary to mitigate them.

Rational Quality Manager: An application used to manage testing activities, including test cases, across the testing life cycle. Rational Quality Manager was a pilot project for the CADE 2 Program and was not used by all testing partners.

Rational Requisite Pro: An application used for requirements management. The IRS has established ReqPro as its Enterprise Architecture standard for requirements management. It is used to capture detailed requirement data such as the requirement text and any supporting attributes to organize or clarify the requirement. The application also has the capability to create and maintain full requirements traceability within a single project or across multiple projects.

Requirement: A formalization of a need and statement of a capability or condition that a system must have or meet to satisfy a contract, standard, or specification.

Requirements Measures and Metrics Report: Routinely reports on requirements measures and metrics to provide leadership with objective information to evaluate the status of requirements and identify areas for remediation. For example, the requirements measures include requirements volatility, requirements traceability, requirements completeness, etc. The requirements metrics include the total number of requirements, the number of requirements by type, the number of revisions made to requirements, the number of requirements not traced, etc.

Requirements Traceability Verification Matrix: A tool that documents requirements and establishes the traceability relationships between the requirements to be tested and their associated test cases and test results.

Security Certification and Accreditation: A security certification is an independent technical evaluation, for the purpose of accreditation, that uses security requirements as the criteria for the evaluation. An accreditation is an authorization granted by a management official to operate the system based on the evaluation of the security controls.

Source Code Security Review: The Cybersecurity organization conducts activities designed to ensure a system’s security safeguards are in place and functioning as intended. Source code analysis will be used to test CADE 2 application code for potential security vulnerabilities. Source Code Security Review is the process of auditing the source code for an application to verify the proper security controls are present, that they work as intended, and that they have been invoked in all the right places.

Stakeholders: An individual or organization that is materially affected by the outcome of the system. Key stakeholders represent both business and technical functions that fully participate in the architecture development effort to ensure that directional guidance is both accurate and sufficient. These stakeholders are empowered to make project and architectural decisions. Examples of project stakeholders include the customer, the user group, the project manager, the development team, and the testers.

Standard Query Language: A standardized query language for requesting information from a database.

Standard Query Language Injection: A form of attack on a database-driven website in which the attacker executes unauthorized Standardized Query Language commands by taking advantage of insecure code on a system connected to the Internet, bypassing the firewall.

Systems Acceptance Test: A software test to ensure the designed and delivered software has met all system requirements. This is accomplished by validating that the project or system performs as expected when subjected to controlled test cases and data for both valid and invalid conditions.

Test Case: A test case is created to specify and document the conditions to be tested and to validate that system functions meet requirements as translated into documented functional design. A test case also tests outside the normal or expected functions in order to find defects.

Testing Partners: The CADE 2 testing partners are those IRS organizations (Enterprise Systems Testing, Cybersecurity, Applications Development, etc.) that participate in CADE 2 testing.

Tier 1 system: A system comprised of supercomputers and mainframe hardware and software.

Tier 2 system: A system comprised of minicomputers and software, i.e., computers usually containing multiple microprocessors, capable of executing multiple processes simultaneously and oftentimes serving multiple users by way of a communications network. Local Area Network servers are often located in a space separate from the normal office environment. The minicomputer is more robust than a microcomputer.

Traceability: Describes the life of a requirement from the initial source through its development and actual deployment into operations.

Unified Work Request: Details the requested design and functionality of a system.

User Acceptance Test: A test conducted to validate that the system works as designed and implemented and satisfies the business requirements of the system.

Validation: Verification that something is correct or conforms to a certain standard.

Vulnerability: In computer security, vulnerability is a weakness which allows an attacker to reduce a system’s information assurance.

Vulnerability Detection Scans: The Cybersecurity organization conducts activities designed to ensure a system’s security safeguards are in place and functioning as intended.
Vulnerability\n                       Detection Scans verify whether security and privacy mechanisms designed to\n                       protect vulnerable areas of the system are configured properly and enforced.\n\n\n\n\n                                                                                                   Page 30\n\x0c       Customer Account Data Engine 2 (CADE 2): System\n     Requirements and Testing Processes Need Improvements\n\n\n\n                                                 Appendix V\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                       Page 31\n\x0c  Customer Account Data Engine 2 (CADE 2): System\nRequirements and Testing Processes Need Improvements\n\n\n\n\n                                                  Page 32\n\x0c  Customer Account Data Engine 2 (CADE 2): System\nRequirements and Testing Processes Need Improvements\n\n\n\n\n                                                  Page 33\n\x0c  Customer Account Data Engine 2 (CADE 2): System\nRequirements and Testing Processes Need Improvements\n\n\n\n\n                                                  Page 34\n\x0c  Customer Account Data Engine 2 (CADE 2): System\nRequirements and Testing Processes Need Improvements\n\n\n\n\n                                                  Page 35\n\x0c  Customer Account Data Engine 2 (CADE 2): System\nRequirements and Testing Processes Need Improvements\n\n\n\n\n                                                  Page 36\n\x0c  Customer Account Data Engine 2 (CADE 2): System\nRequirements and Testing Processes Need Improvements\n\n\n\n\n                                                  Page 37\n\x0c'